
Iteolih: RPC vulnerability implementation party

The Dionaea honeypot has matured considerably over the last few weeks. As Markus blogged in Iteolih: Miles and More, the software is now able to detect shellcode via libemu and generates a nice shellcode profile from it.

The SMB / DCERPC implementation has also become fairly mature and can now cope with all packet types as well as most of the caveats and implementation differences found in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)

For some exploits libemu either produces an incorrect shellcode profile or does not detect the shellcode at all. This is mostly caused by Unicode encoding or some other custom encapsulation of the payload inside the RPC packets. We will add heuristics later that preprocess the data before it is handed to libemu, to improve detection.
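To make the preprocessing idea concrete, here is an added example of such a heuristic (my own illustration, not Dionaea's code and not part of the original post). It scans a buffer of RPC stub data for runs that look like UTF-16LE (every second byte is zero), narrows those runs back to single bytes, and returns a list of candidate buffers that an emulator such as libemu could be run over. The sample stub, the run length threshold and the `candidates` helper are all constructed assumptions for the example:

```python
"""Heuristic pre-processing of RPC stub data before shellcode detection.

Added example for a honeypot's DCERPC layer: narrow UTF-16LE-encoded regions
so that an x86 emulator sees the payload bytes, not the wide encoding.
"""

from typing import List, Tuple


def find_wide_runs(buf: bytes, min_units: int = 8) -> List[Tuple[int, int]]:
    """Return (start, end) byte ranges that look like UTF-16LE data.

    A run is a sequence of 16-bit units whose high byte is 0x00 and whose low
    byte is non-zero, at least min_units long. Both 2-byte phases are tried,
    because the wide region need not be aligned inside the packet.
    """
    runs: List[Tuple[int, int]] = []
    for phase in (0, 1):
        i = phase
        while i + 1 < len(buf):
            if buf[i + 1] == 0 and buf[i] != 0:
                start = i
                while i + 1 < len(buf) and buf[i + 1] == 0 and buf[i] != 0:
                    i += 2
                if (i - start) // 2 >= min_units:
                    runs.append((start, i))
            else:
                i += 2
    runs.sort()
    return runs


def narrow_wide_runs(buf: bytes, min_units: int = 8) -> bytes:
    """Rewrite buf so every detected wide run is replaced by its low bytes.

    Bytes outside the runs (RPC headers, padding, trailing data) are kept
    untouched, so offsets before the first run are preserved.
    """
    out = bytearray()
    pos = 0
    for start, end in find_wide_runs(buf, min_units):
        out += buf[pos:start]
        out += buf[start:end:2]  # keep the low byte of each 16-bit unit
        pos = end
    out += buf[pos:]
    return bytes(out)


def candidates(buf: bytes) -> List[Tuple[str, bytes]]:
    """Buffers worth handing to the emulator: the raw data, plus the
    narrowed form when the heuristic actually changed something."""
    cands = [("raw", buf)]
    narrowed = narrow_wide_runs(buf)
    if narrowed != buf:
        cands.append(("utf16le-narrowed", narrowed))
    return cands


# Constructed sample: an 8-byte header-like prefix, a harmless ASCII marker
# encoded as UTF-16LE (what a wide-string parameter would look like), and two
# trailing bytes. No real exploit data is involved.
PREFIX = b"\x05\x00\x0b\x03\x10\x00\x00\x00"
MARKER = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123"
SAMPLE_STUB = PREFIX + MARKER.decode("ascii").encode("utf-16-le") + b"\xcc\xcc"


if __name__ == "__main__":
    for name, data in candidates(SAMPLE_STUB):
        print(f"{name:18s} {len(data):4d} bytes  {data[:16].hex()}...")
```

The narrowed candidate is offered in addition to the raw buffer rather than instead of it, so a payload that was never wide-encoded still gets analysed exactly as before; the heuristic can only add a candidate, never hide one.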

The honeypot also already supports shell emulation and FTP/HTTP/TFTP downloads of malware, but this was turned off for the tests above.

Feel free to check out the honeypot's code and try it for yourself. We need testing and feedback! As the documentation is still rather sparse, feel free to ask questions in the nepenthes IRC channel.